Question

After using the "-z noexecstack" option to compile a C program, a buffer-overflow attack that causes...

After using the "-z noexecstack" option to compile a C program, a buffer-overflow attack that causes the vulnerable program to return to the code on the stack is supposed to fail, but some students find out that the attack is still successful. What could be the reason? The students did everything correctly.

Engineering   Computer-Science   
0 0
Add a commentTranscribed image text
Next >

Homework Answers

Answer #1

Solution:

Buffer overflow is defined as the condition in which a program attempts to write data beyond the boundaries of pre-allocated fixed length buffers. This vulnerability can be utilized by a malicious user to alter the flow control of the program, even execute arbitrary pieces of code. This vulnerability arises due to the mixing of the storage for data (e.g. buffers) and the storage for controls (e.g. return addresses): an overflow in the data part can affect the control flow of the program, because an overflow can change the return address.

We can load the shellcode into “badfile”, but it will not be executed because our instruction pointer will not be pointing to it. One thing we can do is to change the return address to point to the shellcode. But we have two problems: we do not know where the return address is stored, and we do not know where the shellcode is stored. To answer these questions, we need to understand the stack layout the execution enters a function

Finding the address of the memory that stores the return address.

From the figure, we know, if we can find out the address of buffer[] array, we can calculate where the return address is stored. Since the vulnerable program is a Set-UID program, you can make a copy of this program, and run it with your own privilege; this way you can debug the program (note that you cannot debug a Set-UID program). In the debugger, you can figure out the address of buffer[], and thus calculate the starting point of the malicious code. You can even modify the copied program, and ask the program to directly print out the address of buffer[]. The address of buffer[] may be slightly different when you run the Set-UID copy, instead of of your copy, but you should be quite close.

If the target program is running remotely, and you may not be able to rely on the debugger to find out the address. However, you can always guess. The following facts make guessing a quite feasible approach:

Stack usually starts at the same address.
Stack is usually not very deep: most programs do not push more than a few hundred or a few thousand bytes into the stack at any one time.
Therefore the range of addresses that we need to guess is actually quite small.
(2) Finding the starting point of the malicious code.

If you can accurately calculate the address of buffer[], you should be able to accurately calcuate the starting point of the malicious code. Even if you cannot accurately calculate the address (for example, for remote programs), you can still guess. To improve the chance of success, we can add a number of NOPs to the beginning of the malcious code; therefore, if we can jump to any of these NOPs, we can eventually get to the malicious code. The following figure depicts the attack.

n your exploit program, you might need to store an long integer (4 bytes) into an buffer starting at buffer[i]. Since each buffer space is one byte long, the integer will actually occupy four bytes starting at buffer[i] (i.e., buffer[i] to buffer[i+3]). Because buffer and long are of different types, you cannot directly assign the integer to buffer; instead you can cast the buffer+i into an long pointer, and then assign the integer. The following code shows how to assign an long integer to a buffer starting at buffer

efore working on this task, remember to turn off the address randomization first, or you will not know which protection helps achieve the protection.

In our previous tasks, we intentionally make stacks executable. In this task, we recompile our vulnerable program using the noexecstack option, and repeat the attack in Task 1. Can you get a shell? If not, what is the problem? How does this protection scheme make your attacks difficult. You can use the following instructions to turn on the non-executable stack protection.

gcc -o stack -fno-stack-protector -z noexecstack stack.c
It should be noted that non-executable stack only makes it impossible to run shellcode on the stack, but it does not prevent buffer-overflow attacks, because there are other ways to run malicious code after exploiting a buffer-overflow vulnerability. The return-to-libc attack is an example.

root@ubuntu:/home/seed/Desktop# sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
root@ubuntu:/home/seed/Desktop# gcc -o stack -z noexecstack -fno-stack-protector stack.c
root@ubuntu:/home/seed/Desktop# chmod u+s stack
root@ubuntu:/home/seed/Desktop# exit
exit
seed@ubuntu:~/Desktop$ ./stack
Segmentation fault (core dumped)

#please consider my effort and give me a like...thank u....

0 0
Know the answer?
Your Answer:

Post as a guest

Your Name:

What's your source?

Earn Coins

Coins can be redeemed for fabulous gifts.

Log In

Sign Up

Not the answer you're looking for?
Ask your own homework help question
Similar Questions
For a C program hangman game: Create the function int setup_game [int setup_game ( Game *g,...
For a C program hangman game: Create the function int setup_game [int setup_game ( Game *g, char wordlist[][MAX_WORD_LENGTH], int numwords)] for a C program hangman game. (The existing code for other functions and the program is below, along with what the function needs to do) What int setup_game needs to do setup_game() does exactly what the name suggests. It sets up a new game of hangman. This means that it picks a random word from the supplied wordlist array and...
You will write a program that loops until the user selects 0 to exit. In the...
You will write a program that loops until the user selects 0 to exit. In the loop the user interactively selects a menu choice to compress or decompress a file. There are three menu options: Option 0: allows the user to exit the program. Option 1: allows the user to compress the specified input file and store the result in an output file. Option 2: allows the user to decompress the specified input file and store the result in an...
Hi there, I've been asked to write a program in C which can read values from...
Hi there, I've been asked to write a program in C which can read values from a file then sort them, and then write to a binary file. I'm getting stuck when I write my binary file as the output is just spitting out garbage values and not the values that are being read in. When I print my input file reader everything is perfect but after sorting and then writing, the output is completely wrong. I have checked that...
Complete a Java program named ARMgr that maintains customer accounts receivable in a database. The code...
Complete a Java program named ARMgr that maintains customer accounts receivable in a database. The code to initialize the CustomerAccountsDB database table and add a set of customer accounts is provided. Finish the code in these 3 methods in CustomerAccountDB.java to update or query the database: -purchase(double amountOfPurchase) -payment(double amountOfPayment) -getCustomerName() Hint: For getCustomerName(), look at the getAccountBalance() method to see an example of querying data from the database. For the purchase() and payment() methods, look at the addCustomerAccount() method...
Jim Watanabe was in his new car, driving down I-5, on his way to work. He...
Jim Watanabe was in his new car, driving down I-5, on his way to work. He dreaded the phone call he knew he was going to have to make. The original go-live date for a pilot implementation of Petrie Electronics’ new customer relationship management (CRM) system was July 31. That was only six weeks away, and Jim knew there was no way they were going to be ready. The XRA CRM they were licensing turned out to be a lot...
I did already posted this question before, I did get the answer but i am not...
I did already posted this question before, I did get the answer but i am not satisfied with the answer i did the code as a solution not the description as my solution, so i am reposting this question again. Please send me the code as my solution not the description In this project, build a simple Unix shell. The shell is the heart of the command-line interface, and thus is central to the Unix/C programming environment. Mastering use of...
In narrative essay format, I want you to address a business/organization case study using multiple concepts...
In narrative essay format, I want you to address a business/organization case study using multiple concepts from class. The case question and case text begin on page 5 of this document. You need to demonstrate their best understanding of management and organizational behavior theory, and the application of those ideas to improve the understanding of various issues. You need to clearly identify at least 3 distinct, substantive issues. For each issue you need to 1), identify evidence from the case...
Case Study: Freeman-Brown Private School (FBPS), based in Illinois, was founded in 1944 by the Brown...
Case Study: Freeman-Brown Private School (FBPS), based in Illinois, was founded in 1944 by the Brown and Freeman families. Over the years, the school acquired a reputation as a leading academic institution with an advanced curriculum. Parents described the school as having a highly performing academic environment that provided a rigorous curriculum while fostering a safe, family-oriented atmosphere in a place where community was valued. Not surprisingly, the student population grew and the school opened multiple campuses in the metropolitan...
Please read the article and answear about questions. Determining the Value of the Business After you...
Please read the article and answear about questions. Determining the Value of the Business After you have completed a thorough and exacting investigation, you need to analyze all the infor- mation you have gathered. This is the time to consult with your business, financial, and legal advis- ers to arrive at an estimate of the value of the business. Outside advisers are impartial and are more likely to see the bad things about the business than are you. You should...
read Seasons of Love chapter:measuring a child's life after suicide. please answer the questions : reflect...
read Seasons of Love chapter:measuring a child's life after suicide. please answer the questions : reflect on what happens to the families when there is a suicide in the family, based on the Seasons of Love chapter...how should people be told? What details are best left unshared? below is the story These theories may have a certain face-validity, but they often neglect environmental or contextual factors that are innate to answering the question of “why” a person might engage in...
ADVERTISEMENT
Need Online Homework Help?

Get Answers For Free
Most questions answered within 1 hours.

Ask a Question
ADVERTISEMENT